Prosecution Insights
Last updated: April 19, 2026
Application No. 18/609,977

DETECTING WEB APPLICATION VULNERABILITIES

Final Rejection §101, §DP
Filed
Mar 19, 2024
Examiner
PAULINO, LENIN
Art Unit
2197
Tech Center
2100 — Computer Architecture & Software
Assignee
SAP SE
OA Round
2 (Final)
Grant Probability: 57% (Moderate)
OA Rounds: 3-4
To Grant: 4y 2m
With Interview: 82%

Examiner Intelligence

Career Allow Rate: 57% (186 granted / 327 resolved; +1.9% vs TC avg)
Interview Lift: +25.3% (resolved cases with interview vs. without)
Avg Prosecution: 4y 2m; 34 currently pending
Total Applications: 361 across all art units

Statute-Specific Performance

§101: 21.1% (-18.9% vs TC avg)
§103: 57.5% (+17.5% vs TC avg)
§102: 8.4% (-31.6% vs TC avg)
§112: 7.2% (-32.8% vs TC avg)
Based on career data from 327 resolved cases (chart: black line = Tech Center average estimate).

Office Action

§101, §DP

DETAILED ACTION

Claims 1-20 are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This final office action is in response to the applicant's response received on 10/16/2025, for the non-final office action mailed on 07/16/2025.

Examiner's Notes

Examiner has cited particular columns and line numbers, paragraph numbers, or figures in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant, in preparing the responses, to fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Response to Arguments

Applicant's arguments filed 10/16/2025 regarding the double patenting rejection have been considered, and the rejection is withdrawn with the filing of the terminal disclaimer in compliance with 37 C.F.R. § 1.321.

Applicant's arguments filed 10/16/2025 regarding the rejection made under 35 U.S.C. § 101 have been fully considered but they are not persuasive. Applicant argues the specification provides sufficient details by which one of ordinary skill in the art would recognize the claimed invention as providing an improvement, see applicant's remarks pp. 8-10. Examiner respectfully disagrees, as the claims only determine that a request message indicates a vulnerability but do nothing to mitigate the vulnerability. Applicant discusses specification-recited techniques for mitigating said vulnerabilities, yet these mitigations are not claimed.

Applicant further argues the specific improvements to computing technology described by the specification are also incorporated into the claim, see applicant's remarks pp. 10-11. Examiner respectfully disagrees, as applicant merely provided claim recitations without providing any explanation of how the claims specify an improvement to computing technology. Furthermore, applicant argues claim 1 covers a particular solution to a problem in a particular way to achieve a desired outcome, as opposed to merely claiming an idea of a solution or outcome, see applicant's remarks p. 11. Examiner respectfully disagrees: applicant argues the claim is a particular solution and not merely detecting a vulnerability, yet the end of the claim stops at determining a vulnerability and does nothing further to mitigate said vulnerability. Finally, applicant argues the improvement disclosed and recited in claim 1 is not provided by the judicial exception alone, see applicant's remarks pp. 11-12. Examiner respectfully disagrees; as mentioned above, the claim does not recite an improvement. The claim merely recites mental processes and additional elements that do not integrate the mental processes into a practical application nor amount to significantly more. This limitation was not analyzed under mental process but instead as an additional element under MPEP § 2106.05(g).

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

Statutory Category: Claims 1, 9 and 17 are directed to a system, method and non-transitory machine-readable medium, respectively. Therefore, the claims are directed to one of the four statutory categories of invention.

Step 2A – Prong 1: Claims 1, 9 and 17 recite: determining that a first request message of the plurality of request messages describes a state changing request, the determining based at least in part on a first response message generated by the web application in response to the first request message; selecting the first request message for use in generating a first tampered request message, the selecting being based at least in part on the determining that the first request message describes a state changing request; determining that the first request message is a post-authentication request message sent to the web application after a user associated with the first request message has been authenticated to the web application; generating the first tampered request message based at least in part on the first request message and on the determining that the first request message is a post-authentication request message; determining that the first request message indicates a vulnerability of the web application, the determining based at least in part on the first tampered request message and a first traffic-tampered response message generated by the web application in response to the first tampered request message. These limitations, as drafted, are a process that, under their broadest reasonable interpretation, covers an abstract idea such as performance of the limitation in the mind. That is, other than a generic computer, nothing in the claim elements precludes the steps from practically being performed mentally.

Specifically, "determining that a first request message of the plurality of request messages describes a state changing request, the determining based at least in part on a first response message generated by the web application in response to the first request message" can be performed mentally through observation, evaluation, judgement, or opinion of a developer looking at a first response message. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the category of abstract idea mental process. Accordingly, the claim recites an abstract idea under step 2A prong 1.

Step 2A – Prong 2: The additional elements do not integrate the judicial exception into a practical application. The limitations "a system for detecting vulnerabilities in a web application, the system comprising", "a method for detecting vulnerabilities in a web application, the method comprising", and "a non-transitory machine-readable medium comprising instructions thereon that" recite field of use/technological environment (2106.05(h)). The limitations "a programmable processor; and a non-transitory machine-readable medium comprising instructions thereon that, when executed by the programmable processor, cause the programmable processor to perform operations comprising", and "when executed by a programmable processor, cause the programmable processor to perform operations comprising" recite a generic computer as a tool to apply an abstract idea (see MPEP 2106.05(f)). The limitations "directing a plurality of request messages to a web application executed at a remote computing device" and "directing the first tampered request message to the web application" add insignificant extra-solution activity such as data transmission (see MPEP 2106.05(g)). Accordingly, the additional elements recited in the claims do not integrate the abstract idea into a practical application.

Step 2B: As discussed with respect to step 2A prong 2, the additional elements "a system for detecting vulnerabilities in a web application, the system comprising", "a method for detecting vulnerabilities in a web application, the method comprising", and "a non-transitory machine-readable medium comprising instructions thereon that" merely recite field of use/technological environment (2106.05(h)). The limitations "a programmable processor; and a non-transitory machine-readable medium comprising instructions thereon that, when executed by the programmable processor, cause the programmable processor to perform operations comprising", and "when executed by a programmable processor, cause the programmable processor to perform operations comprising" recite mere instructions to implement an abstract idea on a computer, or merely use a generic computer as a tool to apply an abstract idea (see MPEP 2106.05(f)). The limitations "directing a plurality of request messages to a web application executed at a remote computing device" and "directing the first tampered request message to the web application" amount to well-understood, routine, conventional activities as seen in court cases on receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information). Accordingly, the claims do not amount to significantly more than the judicial exception, and thus lack an inventive concept for patent eligibility under 35 U.S.C. § 101.

Regarding claims 2-8, 10-16 and 18-20, "wherein determining that the first request message describes a state changing request further comprises determining that the first response message comprises more than a threshold number of cookies," "wherein determining that the first request message describes a state changing request further comprises determining that the first request message comprises a first keyword," "the operations further comprising: determining that a second request message of the plurality of request messages describes a state changing request; selecting the second request message for use in generating a second tampered request message; determining that the second request message is a pre-authentication request message; and generating the second tampered request message at least in part by: modifying a referrer header field of the second request message; and removing at least one cookie from the second request message," "the generating of the first tampered request message comprising: modifying a referrer header field of the first request message; and replacing at least a portion of a body of the first request message," "the operations further comprising determining that a first field of the first response message matches a corresponding field of the first traffic-tampered response message," "the operations further comprising determining that a first test exit code associated with the first response message matches a second test exit code associated with the first traffic-tampered response message," and "the operations further comprising determining that the first traffic-tampered response message indicates a result requested by the first tampered request message" further recite abstract ideas. Thus, these limitations do not integrate the judicial exception into a practical application under prong 2, or amount to significantly more under Step 2B.

Conclusion

THIS ACTION IS MADE FINAL.
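The dependent-claim limitations quoted above describe a replay-with-tampering check of the kind a CSRF scanner performs: classify a captured request as state-changing (response sets more than a threshold number of cookies, or the request carries a keyword), decide whether it was sent pre- or post-authentication, replay a copy with a modified Referer header and either a replaced body portion or a removed cookie, and flag a vulnerability when the tampered response matches the original on a field or exit code. The Python below is an added illustration written for this page; it is not code from the office action, the application, or SAP. The cookie threshold, keyword list, session-cookie name, the foreign origin used in the tampered Referer and the simulated web application (a hardened variant that checks the request origin and a weak one that does not) are all constructed assumptions so that the check runs offline.

```python
"""Constructed example: classify captured request/response pairs, replay a tampered copy
against a simulated web application, and compare the two responses (CSRF-style check)."""
from dataclasses import dataclass, field, replace as dc_replace
from typing import Callable, Dict, List, Tuple

COOKIE_THRESHOLD = 1                                           # assumed threshold from the claims
STATE_KEYWORDS = ("update", "delete", "create", "transfer")    # assumed keyword list
SESSION_COOKIE = "SESSION"                                     # assumed post-authentication cookie name
OWN_ORIGIN = "https://app.example/"                            # constructed origin of the simulated app
FOREIGN_ORIGIN = "https://other-site.invalid/"                 # constructed, non-routable foreign origin


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass(frozen=True)
class Response:
    status: int
    set_cookies: int = 0      # number of Set-Cookie headers in the response
    exit_code: str = "OK"     # application-level result ("test exit code" in the claims)
    body: str = ""


def is_state_changing(req: Request, resp: Response) -> bool:
    """Claimed heuristics: the response sets more than a threshold number of cookies,
    or the request contains a known state-changing keyword."""
    if resp.set_cookies > COOKIE_THRESHOLD:
        return True
    return any(k in req.path.lower() for k in STATE_KEYWORDS)


def is_post_authentication(req: Request) -> bool:
    """A request carrying the session cookie was sent after the user authenticated."""
    return SESSION_COOKIE in req.cookies


def replace_body_portion(body: str) -> str:
    """Replace the value of the first form field; an empty body gets a marker field."""
    pairs = body.split("&") if body else []
    if not pairs:
        return "tampered=1"
    name, _, _ = pairs[0].partition("=")
    pairs[0] = f"{name}=TAMPERED"
    return "&".join(pairs)


def tamper(req: Request) -> Request:
    """Build the tampered copy: a foreign Referer in both cases; post-authentication
    requests get part of the body replaced, pre-authentication requests lose a cookie."""
    headers = dict(req.headers, Referer=FOREIGN_ORIGIN)
    if is_post_authentication(req):
        return dc_replace(req, headers=headers, body=replace_body_portion(req.body))
    cookies = dict(req.cookies)
    if cookies:
        cookies.pop(next(iter(cookies)))
    return dc_replace(req, headers=headers, cookies=cookies)


def indicates_vulnerability(resp: Response, tampered_resp: Response) -> bool:
    """Claimed test: the tampered response matches the original on status and exit
    code, i.e. the tampered request obtained the result it asked for."""
    return resp.status == tampered_resp.status and resp.exit_code == tampered_resp.exit_code


def simulated_app(req: Request, checks_origin: bool) -> Response:
    """Constructed stand-in for the remote web application. With checks_origin=True it
    rejects state-changing requests from a foreign Referer (and logins lacking the
    csrf cookie); with checks_origin=False it accepts them, which the scan should flag."""
    if req.method != "POST":
        return Response(200, 0, "OK", "page")
    foreign = not req.headers.get("Referer", "").startswith(OWN_ORIGIN)
    if req.path == "/login":
        if checks_origin and (foreign or "csrf" not in req.cookies):
            return Response(403, 0, "BAD_ORIGIN")
        return Response(200, 2, "LOGIN_OK")          # sets session and csrf cookies
    if SESSION_COOKIE not in req.cookies:
        return Response(401, 0, "AUTH_REQUIRED")
    if checks_origin and foreign:
        return Response(403, 0, "BAD_ORIGIN")
    return Response(200, 0, "TRANSFER_DONE", "done")


def capture(app: Callable[[Request], Response]) -> List[Tuple[Request, Response]]:
    """Constructed traffic sample: one read, one pre-auth login, one post-auth transfer."""
    requests = [
        Request("GET", "/account", {"Referer": OWN_ORIGIN}, {SESSION_COOKIE: "s1"}),
        Request("POST", "/login", {"Referer": OWN_ORIGIN}, {"csrf": "t1"}, "user=alice&pw=x"),
        Request("POST", "/transfer", {"Referer": OWN_ORIGIN},
                {SESSION_COOKIE: "s1", "csrf": "t1"}, "to=bob&amount=10"),
    ]
    return [(r, app(r)) for r in requests]


def scan(traffic: List[Tuple[Request, Response]],
         app: Callable[[Request], Response]) -> Dict[str, bool]:
    """Select state-changing requests, replay a tampered copy, and report per endpoint
    whether the tampered response indicates a vulnerability."""
    findings: Dict[str, bool] = {}
    for req, resp in traffic:
        if not is_state_changing(req, resp):
            continue
        tampered_resp = app(tamper(req))
        findings[f"{req.method} {req.path}"] = indicates_vulnerability(resp, tampered_resp)
    return findings


if __name__ == "__main__":
    for label, checks in (("weak app", False), ("hardened app", True)):
        app = lambda r, c=checks: simulated_app(r, c)
        print(label, scan(capture(app), app))
```

The GET request is never selected (no cookies set, no keyword), the login is selected by the cookie-count heuristic and tampered as a pre-authentication request, and the transfer is selected by the keyword heuristic and tampered as a post-authentication request; only the weak application returns the same status and exit code for the tampered replays.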
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LENIN PAULINO whose telephone number is (571)270-1734. The examiner can normally be reached Week 1: Mon-Thu 7:30am - 5:00pm; Week 2: Mon-Thu 7:30am - 5:00pm and Fri 7:30am - 4:00pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Bradley Teets, can be reached at (571) 272-3338. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LENIN PAULINO/ Examiner, Art Unit 2197
/BRADLEY A TEETS/ Supervisory Patent Examiner, Art Unit 2197

Prosecution Timeline

Mar 19, 2024: Application Filed
Jul 12, 2025: Non-Final Rejection (§101, §DP)
Oct 16, 2025: Response Filed
Jan 27, 2026: Final Rejection (§101, §DP)
Mar 23, 2026: Applicant Interview (Telephonic)
Apr 02, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596635: BLACK-BOX FUZZING TESTING METHOD AND APPARATUS (2y 5m to grant; granted Apr 07, 2026)
Patent 12541449: AUTOMATIC GENERATION OF ASSERT STATEMENTS FOR UNIT TEST CASES (2y 5m to grant; granted Feb 03, 2026)
Patent 12524217: SYSTEMS AND METHODS FOR AUTOMATED RETROFITTING OF CUSTOMIZED CODE OBJECTS (2y 5m to grant; granted Jan 13, 2026)
Patent 12517811: METHOD, SYSTEM AND DEVICE FOR GENERATING TEST CASE FOR AUTOMOTIVE CYBERSECURITY DETECTION (2y 5m to grant; granted Jan 06, 2026)
Patent 12505029: SYSTEMS, METHODS, AND GRAPHICAL USER INTERFACES FOR GENERATING A COMPUTER-EXECUTABLE USABILITY STUDY APPLICATION (2y 5m to grant; granted Dec 23, 2025)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 57%
With Interview: 82% (+25.3%)
Median Time to Grant: 4y 2m
PTA Risk: Moderate
Based on 327 resolved cases by this examiner. Grant probability derived from career allow rate.
